Hello,

On Tue, Jul 21, 2009 at 04:44:28AM -0500, [email protected] wrote:
>
> >Then I will try to remember this thread when I look again at this bug.
> >Hopefully soon.
>
> We can summarize the conclusions and post that to the bug. How does
> that sound?

If the bug is solved this week, that should be OK.

> The PROPER behavior of pam_securetty is supposed to be that it returns
> "failure" only when the user is "root" and the TTY is not "secure".

This is not the current behavior of pam_securetty.
I filed bug #537848 to ask for the invalid user check to be performed only
in insecure lines.

I do not know when the behavior changed (somewhere around PAM 1.0).

> >This looks similar to a pam_securetty.so configured with:
> >[success=ok new_authtok_reqd=ok user_unknown=ok ignore=ignore default=die]
>
> That's Greek to me. Despite repeated requests for funding, I was
> unable to get AIX to use PAM while I was the AIX security architect.
> I understand that the money was finally budgeted and PAM was doing
> more properly since I left that department.

From pam.conf(5), "requisite" is identical to
[success=ok new_authtok_reqd=ok ignore=ignore default=die]

So I'm just adding that invalid users should be accepted (user_unknown=ok).
As it is still default=die, root's password is not prompted (i.e. other
modules in the PAM stack are not run) on insecure lines.

Best Regards,
-- 
Nekral
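The difference between plain "requisite" and the bracketed control quoted in the message above, as an added example that is not part of the original thread or of PAM itself. It models only how a control value maps a module's return code to an action; the return codes attributed to pam_securetty in each scenario are assumptions supplied as inputs.

```python
# Added illustration: a minimal model of PAM control-value handling.
# Module return codes are supplied as inputs (assumption), not produced by real PAM.

ALIASES = {
    # Expansion of "requisite" as quoted from pam.conf(5) in the message above.
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
}

def parse_control(control):
    """Turn 'requisite' or '[k=v ...]' into a {return_code: action} dict."""
    control = ALIASES.get(control, control).strip()
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control: %r" % control)
    pairs = (item.split("=", 1) for item in control[1:-1].split())
    return {key: action for key, action in pairs}

def action_for(control, return_code):
    """Action taken for this module result; 'default' covers unlisted codes."""
    table = parse_control(control)
    return table[return_code] if return_code in table else table["default"]

def later_modules_run(control, return_code):
    """'die' stops the stack at once, so the password prompt is never reached."""
    return action_for(control, return_code) != "die"

REQUISITE = "requisite"
PROPOSED = ("[success=ok new_authtok_reqd=ok user_unknown=ok "
            "ignore=ignore default=die]")

# Constructed scenarios: (description, return code assumed from pam_securetty).
SCENARIOS = [
    ("root on insecure tty", "auth_err"),
    ("unknown user on insecure tty", "user_unknown"),
    ("any user on secure tty", "success"),
]

def compare():
    """Map each scenario to (stack continues under requisite, under proposed)."""
    return {desc: (later_modules_run(REQUISITE, rc), later_modules_run(PROPOSED, rc))
            for desc, rc in SCENARIOS}

if __name__ == "__main__":
    for desc, (req, prop) in compare().items():
        print("%-30s requisite=%s proposed=%s" % (desc, req, prop))
```

Only the unknown-user row differs between the two controls: root on an insecure line still hits default=die in both.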

